Operating System
Securing Mobile Computers with Windows XP Professional
By Nick George
Microsoft Corporation
Published: October 2001
Abstract
This article examines specific threats that can affect mobile computers—also known as laptop or notebook computers. It also covers how the security tools and privacy services included in the Microsoft® Windows® XP Professional operating system provide solutions to combat these threats.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2001 Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
Contents
Acknowledgements
Introduction
Understanding Security Threats to Mobile Computers
Data Loss and Theft
Network Penetration
Eavesdropping on Wired and Wireless Sessions
Password Cracking
Exposure of Confidential Data
Security Technologies in Windows XP
Group Policy Objects and Smart Card Authentication
Managing Network Authentication—Guest Account
Syskey Encrypts the SAM Database Using Strong Encryption
Mobile Network Access Technologies
Virtual Private Networking
802.1X—Encryption Key Management
IrDA
PPPoE Client
Callback
Encrypting File System
EFS Architecture
EFS and NTFS
Maintaining File Confidentiality
How EFS Works
Configuring EFS for Your Environment
What Can Be Encrypted
Encrypting Offline Files
Encrypting the Offline Files Database
Certificate Services
Certificate and Public Key Storage
Private Key Storage
User Certificate Autoenrollment
Credential Management
Credential Prompting
Stored User Names and Passwords
Remote Access uses Credential Manager Keyring
Keyring
Summary
Related Links
Acknowledgements
David Cross, Windows Security Program Manager, Microsoft Corporation
Jason Garms, Windows Security Program Manager, Microsoft Corporation
Praerit Garg, Windows Security Lead Program Manager, Microsoft Corporation
Jason Anderson, Consumer Platform Technical Evangelist, Microsoft Corporation
Michael Kessler, Technical Editor, Microsoft Corporation
Introduction
This article examines specific security threats applicable to mobile computers—also known as laptop or notebook computers—along with the security tools and privacy services included in the Microsoft® Windows® XP Professional operating system that provide solutions to combat these threats.
Only a few of the security benefits identified in this article are available to non-domain-connected computers; where applicable these benefits will be identified.
Organizations are reevaluating their internal controls and are making the protection of mobile computing a top priority, as discussed in the ZDNet article, Wolves at the Door. Microsoft Windows XP addresses this security imperative with a range of features designed to provide strong security while preserving the flexibility and power that information security managers have come to expect from an enterprise operating system. If you’re an information security manager, you can also customize Windows Server 2003, including the deployment of Group Policies, to provide a secure working environment.
For a good overview of the new security features and policies available in Windows XP, read the article What’s New in Security for Windows XP Professional and Windows XP Home Edition—many of the security topics included in that article are presented here in the context of mobile computing security.
How This Article is Organized
This article consists of two parts:
Understanding Security Threats to Your Mobile Computer
This section examines the most worrisome mobile computing security threats and summarizes the related Windows XP Professional solutions.
Security Technologies in Windows XP
This section details the security technologies included in Windows XP Professional.
Understanding Security Threats to Mobile Computers
This section catalogs the security threats to mobile computers and identifies ways that Windows XP deals with these threats.
Whenever a mobile computer is outside the enterprise’s physical security boundary, theft of the computing device and the data it contains is a primary concern. If theft does occur, the initial data loss problem escalates: an unauthorized person may use the stolen computer to penetrate the network via remote dial-up or wireless networking.
Warning: In addition to the threats specific to mobility, the mobile computer is subject to all typical computer security threats.
Data Loss and Theft
Data loss may not seem like a security threat, but it is, as illustrated by the Third Immutable Law of Security from the Microsoft TechNet article, which states: “If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.”
By design, mobile computers and many new types of portable devices have a higher risk of being stolen than a non-portable device. Often these machines hold important company data and represent a security risk if stolen; this point is illustrated in a Computerworld article outlining the security lessons learned when the chairman of a large telecommunications firm had his laptop computer stolen.
Protecting Against Data Loss
The Encrypting File System (EFS) in Windows XP Professional protects the data on a stolen computer from disclosure. This security feature encrypts data on the hard drive and renders it useless to anyone without the proper credentials.
Windows XP also incorporates IntelliMirror® technology and supports redirection of the My Documents folder, whereby a user’s data is stored centrally. EFS, coupled with the capability to locally cache your network-based files and folders, provides the highest level of security, full-time access to data, and the convenience of centralized network file backup.
Note: EFS, offline folders, and file caching are features of Windows XP Professional and are not included in Windows XP Home Edition.
Network Penetration
Network penetration is a serious security threat that can occur as a result of information gleaned from a stolen or non-secure mobile device. Many network penetrations are committed by individuals using stolen mobile computers.
The following Windows XP features limit the risk of network penetration:
- Access control management curtails the anonymous access associated with the Internet.
- Simple Sharing limits access to only those network resources provided to guest accounts.
- Force Guest restricts access to unauthenticated user accounts within a domain.
- Automatic smart card enrollment and self-registration authority provide enhanced security for enterprise users by adding another layer of authentication.
- Credential Manager enables stored or cached user credentials to be encrypted so that only authenticated users have access to stored credentials.
- Internet Connection Firewall (ICF) provides baseline intrusion prevention functionality to computers running the Windows XP operating system. It’s designed for computers directly connected to a public network as well as computers that are part of a home network when used with Internet Connection Sharing.
Eavesdropping on Wired and Wireless Sessions
Another way the security of your business and personal data can be compromised is through network sniffing or “eavesdropping”.
Remote computing, in both wired and wireless networking scenarios, is becoming a common part of business life—along with the security risks associated with this practice. By default, email headers and content are transmitted in clear text, and if no encryption is used, the content of a message can be read or altered in transit. In another example, a header can be modified to hide or change the identity of the sender, or to redirect the message. As a result, securing wired and wireless networks is becoming more and more crucial as companies continue to use public infrastructure to transport company data.
Enterprise Security Management Issues
There’s a growing interest in using the IEEE 802.11 networking protocol as an enterprise-deployable technology; but enterprise security management issues still remain. These issues include:
- Open and visible service set identifiers (SSIDs) are an inherently weak security mechanism.
- Wired Equivalent Privacy (WEP) key attacks are theoretically possible using publicly available tools.
- IEEE 802.11 WEP key management lacks a protocol for the distribution of keys.
- Lack of authentication and encryption services in a wireless 802.11 ad hoc network mode raises security concerns when users engage in peer-to-peer collaborative communication in areas such as conference rooms.
Protecting Remote Computing Sessions
Windows XP limits the risk of having remote computing sessions intercepted in the following ways:
- Protects communication over the Internet using virtual private networks (VPN) and integrated tunneling and encryption technologies. These technologies include Internet Protocol security (IPSec), Layer Two Tunneling Protocol (L2TP), public key infrastructure (PKI), and Point-to-Point Tunneling Protocol (PPTP).
- Provides zero configuration networking and roaming enhancements to make transitioning between wireless networks easy.
- Supports the IEEE 802.1X protocol to make it easier to manage wireless devices, control the flow of data through wireless access points, and periodically challenge and re-authenticate the wireless stations attached to those wireless network access points.
- Supports WEP, the first-generation IEEE 802.11 wireless access session security protocol. (Enterprise networks should be configured with IEEE 802.1X to control wireless sniffing threats against IEEE 802.11 network configurations.)
- Provides callback access support, a mobile network access technology that instructs a remote access server to disconnect, and then call you back after you dial in.
- Supports remote access and VPN, including support for the credential keyring.
Note: For more information about wireless network configuration and security issues related to the IEEE 802.11 protocol, see Wireless LAN Technologies and Windows XP.
Password Cracking
Many network penetrations are committed either by individuals using stolen mobile computers, or by unauthorized users who have access to an authorized user’s machine. Typically, mobile computers that are part of a domain are more secure because domain members’ credentials are centrally stored and can only be changed at a domain controller, which, if best practices have been followed, is the most heavily defended machine in a network.
Protecting Credentials
Remote computing dial-up applications that allow end users to cache their network access credentials do not help secure corporate networks. Network security managers should implement password policies that enforce strong passwords, require password entry when resuming from system power management standby modes and screen savers, and prohibit the caching of remote access credentials.
Windows XP reduces the risk of exposing confidential data such as passwords: Syskey encrypts the password hashes stored in the Security Account Manager (SAM) database.
Protecting Standalone Computers
Mobile computers that are not part of a managed domain are even more at risk because no security policies can be enforced on them. By default, and for the sake of convenience, user accounts configured on a Windows XP computer that is not joined to a domain do not have passwords. While this is acceptable in a home desktop environment, small business and home mobile users need to take extra steps to ensure that accounts configured on these systems have strong passwords.
Exposure of Confidential Data
Virtually all corporate employees have some sensitive material on their computers that needs to be protected against improper disclosure. Through education and corporate policies, users should be encouraged to store sensitive documents on network servers. Where this policy is too restrictive, Windows XP Professional provides ways to reduce the risk of exposing confidential data.
Reducing the Risk of Exposure
Windows XP Professional reduces the risk of exposing confidential data in the following ways:
- NTFS and EFS protect the contents of documents so that they are unreadable by unauthorized users.
- Controlled network access, including support for dial-up connections, limits exposure to authorized users.
- Blank password restriction enforces basic security principles.
Protecting Standalone Computers
Users of mobile computers that are not part of a managed domain also store sensitive data on their machines. For these non-domain-connected machines, NTFS and EFS, coupled with strong user passwords, are the best defense.
Security Technologies in Windows XP
This section focuses on Windows XP security technologies that support mobile computing—security technologies applicable exclusively to desktop computers are not covered.
Note: For a complete description of security technologies in Windows XP, see What’s New in Security for Windows XP Professional and Windows XP Home Edition.
If you are already familiar with the security model in Microsoft Windows NT® 4.0 and Microsoft Windows 2000, you will recognize many of the security features in Windows XP Professional. At the same time, you will also find a number of familiar features that have changed significantly, and new features that will improve your ability to manage system security.
Windows XP provides several methods for managing security. Knowledge of how Windows XP security features work provides a framework for understanding how to design and maintain a secure environment where mobile computers are part of a domain.
Mobile Computing Security Framework
Windows XP Professional includes a number of features that businesses can use to protect selected files, applications, and other resources on both desktop and mobile computers. These features include access control lists (ACLs), security groups, and Group Policy—in addition to the tools that allow businesses to configure and manage these features. Together they provide a powerful, yet flexible, access control infrastructure for business networks.
Windows XP offers thousands of security-related settings that can be implemented individually. It also includes predefined security templates that can be used without modifications, or used as the basis for a more customized security configuration.
Using Security Templates
Businesses can apply security templates when they:
- Create a resource, such as a folder or file share, and either accept the default access control list settings or implement custom access control list settings.
- Place users in the standard security groups, such as Users, Power Users, and Administrators, and accept the default ACL settings that apply to those security groups.
- Use the Basic, Compatible, Secure, and Highly Secure Group Policy templates that have been provided with the operating system.
Settings and Tools
Each of the Windows XP security features—ACLs, security groups, and Group Policy—has default settings that can be modified to suit a particular organization, and in particular the mobile computer. Businesses can also make use of relevant tools to implement and modify access control. Many of these tools, such as the Microsoft Management Console (MMC) snap-ins, are components of Windows XP Professional. Other tools are included with the Windows XP Professional Resource Kit.
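The password, lockout, and credential-caching policies called for under Password Cracking and Protecting Standalone Computers, written as a custom security template of the kind this section describes and applied with secedit. This is an added example, not from the article or from Microsoft’s shipped templates; the file name mobile.inf, the numeric values chosen, and the RasMan DisableSavePassword registry value are assumptions.

```ini
; mobile.inf -- constructed example security template for a mobile computer.
; Values are illustrative choices; adjust them to your organization's policy.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Strong passwords: length, complexity, history and expiry
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
MinimumPasswordAge = 1
MaximumPasswordAge = 42
; Slow down online guessing against a stolen laptop's local accounts
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
; Never store passwords using reversible encryption
ClearTextPassword = 0

[Registry Values]
; Accounts with blank passwords may log on only at the console, never over the network
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
; Do not keep the weak LAN Manager hash of newly set passwords in the SAM
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
; Do not reveal the last user name on the logon screen of a lost laptop
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
; Cache a single domain logon so the user can still log on away from the network;
; 0 would prevent any off-network domain logon on a mobile computer
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"1"
; Lock the workstation when the smart card is removed (1 = Lock Workstation)
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"
; Remove the "Save password" option from dial-up and VPN connections
; (assumed value: RasMan DisableSavePassword, applied here via secedit)
MACHINE\System\CurrentControlSet\Services\RasMan\Parameters\DisableSavePassword=4,1

; Apply the template, then re-run with /analyze to verify the settings took effect:
;   secedit /configure /db %windir%\security\database\mobile.sdb /cfg mobile.inf /overwrite /log mobile.log
;   secedit /analyze /db %windir%\security\database\mobile.sdb /cfg mobile.inf /log analyze.log
```

On a domain-joined computer, Group Policy settings take precedence over a locally applied template, so the same settings should also be placed in the domain GPO that covers mobile computers.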
Key Security Features for Mobile Computing
The following list outlines the Windows XP security features that support mobile computing. These security features are described in greater detail in the sections that follow.
- Group Policy Objects—smart card authentication
- Managing Network Authentication—Guest account used for internet logins
- Syskey encrypts the SAM database using strong encryption
- Mobile Network Access Technologies
- Virtual Private Networking
- 802.1X—encryption key management
- Infrared Data Association (IrDA)—allows user control of access and file transfers
- Point-to-Point Protocol over Ethernet (PPPoE) client
- Callback
- Encrypting file system
- EFS and NTFS
- Encrypting offline files and the offline files database
- Certificate services
- Credential management (including stored passwords)
Note: Most Windows XP security features support both desktop and mobile computers. Those key foundational technologies are not described within this article. For a complete description of security technologies in Windows XP, read What’s New in Security for Windows XP Professional and Windows XP Home Edition.
Group Policy Objects and Smart Card Authentication
Windows XP Professional offers robust security features to help businesses protect sensitive data and provide support for managing users on the network. One of the great features available in Windows XP Professional is the use of Group Policy objects (GPO).
GPOs allow system administrators to apply a single security profile to multiple computers, and optionally use smart card technology to authenticate users with information stored on a smart card. Although mobile computers typically do not include a built-in smart card reader, most can support smart card authentication: for mobile computers without a native smart card reader, a PCMCIA or USB-based smart card reader can be added.
Note: Smart card authentication requires the computer to be joined to a domain. Smart cards therefore cannot be used on a local workgroup machine.
Managing Network Authentication—Guest Account
An increasing number of Windows XP Professional mobile computers are connected directly to the Internet rather than to domains. This makes proper management of access control (including strong passwords and permissions associated with different accounts) more critical than ever. To ensure security, the relatively anonymous access control settings commonly associated with open Internet environments need to be curtailed.